phantom_token_introspection_endpoint

The `phantom_token_introspection_endpoint` directive specifies the URI endpoint for introspecting tokens in the Phantom Token NGINX Module.

Syntax: phantom_token_introspection_endpoint URI;
Default: none
Context: location
Arguments: 1

Description

The phantom_token_introspection_endpoint directive is used within a location block of the NGINX configuration to define the endpoint used to introspect access tokens. When a request includes an OAuth access token in the Authorization header, the Phantom Token NGINX Module extracts the token and calls the configured introspection endpoint. This endpoint, which typically points to a Curity Identity Server, responds with a JWT if the access token is valid.

This mechanism follows the Token Introspection framework defined in RFC 7662, which allows tokens to be verified dynamically. If introspection succeeds, the corresponding JWT is retrieved and forwarded to the back-end services, replacing the original token in the request. If the access token is absent or invalid, NGINX denies access by returning a 401 Unauthorized response without forwarding the request to the back-end.

The directive takes one argument: the URI of the introspection endpoint. Scopes and client credentials might also need to be configured for the module to function correctly. Caching can also be configured to improve performance by reducing the number of introspection calls made to the identity server for repeated valid tokens.
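The request handling and caching described above, modelled in Python as an added example; it is not the module's own code. The class name, the stub introspection function, the Bearer-scheme parsing and the cache TTL are assumptions made for illustration, and the token values are constructed.

```python
import time

# Constructed sample: opaque tokens the stub identity server treats as valid.
ISSUED = {"opaque-abc123": "eyJhbGciOiJSUzI1NiJ9.constructed.signature"}

def stub_introspect(token):
    """Stand-in for the introspection call: JWT for a valid token, else None."""
    return ISSUED.get(token)

class PhantomTokenGateway:
    """Hypothetical model of the gateway behaviour, not the NGINX module."""

    def __init__(self, introspect, cache_ttl=300, clock=time.monotonic):
        self.introspect = introspect
        self.cache_ttl = cache_ttl      # seconds a JWT may be served from cache
        self.clock = clock
        self.cache = {}                 # opaque token -> (jwt, valid_until)
        self.introspection_calls = 0

    def handle(self, headers):
        """Return the headers forwarded to the back-end, or None for a 401."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            return None                 # absent or malformed: never forwarded
        jwt = self._resolve(token)
        if jwt is None:
            return None                 # invalid token: never forwarded
        upstream = dict(headers)
        upstream["Authorization"] = "Bearer " + jwt   # opaque token replaced
        return upstream

    def _resolve(self, token):
        now = self.clock()
        entry = self.cache.get(token)
        if entry and entry[1] > now:
            return entry[0]             # cache hit: no introspection call
        self.cache.pop(token, None)     # drop expired entry, if any
        self.introspection_calls += 1
        jwt = self.introspect(token)
        if jwt is not None:             # only valid results are cached
            self.cache[token] = (jwt, now + self.cache_ttl)
        return jwt
```

In this model a cached JWT keeps being forwarded until cache_ttl elapses, so the TTL bounds how long a token revoked at the identity server can still pass.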

Config Example

location /api {
    phantom_token_introspection_endpoint https://identityserver.example.com/introspect;
    # ...other directives...
}

Ensure that the specified URI is reachable and correctly configured for introspection; a misconfigured or unreachable endpoint can lead to failed authentications.

Properly handle the Authorization header in your client requests; if it's missing or incorrect, the request will fail regardless of the endpoint configuration.

Be cautious with caching, as cache misses can result in increased latency due to frequent introspection calls.
